如何使用Powershell从PFX证书获取公钥？

Question

I am trying to extract the public key from a certificate using Powershell. However, whenever I use the Powershell command Get-PfxCertificate it only outputs the Thumbprint of the certificate and not the public key. How can I get it to output the public key?

Answer 1

To retrieve the public key from a PFX certificate using Powershell, use the following command:

(Get-PfxCertificate -FilePath mycert.pfx).GetPublicKey()

To convert the public key to a hex string without hyphens you can use this command:

[System.BitConverter]::ToString((Get-PfxCertificate -FilePath mycert.pfx).GetPublicKey()).Replace("-", "")

Answer 2

Be aware, that Get-PfxCertificate temporarily stores your private key at %ProgramData%\\Microsoft\\Crypto\\RSA\\MachineKeys , where everyone could read it.

If that is not a desirable behavior, than you should probably use either import method or constructor of the X509Certificate2 .NET object with EphemeralKeySet as a key storage flag, which indicates that private key should be created in memory and not persisted on disk when importing a certificate, eg:

$Cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$FullPathToCert = Resolve-Path -Path .\cert.pfx
$Password = Read-Host 'Password' -AsSecureString
$X509KeyStorageFlag = 32
$Cert.Import($FullPathToCert, $Password, $X509KeyStorageFlag)
$Cert.GetPublicKey()

Notes

• EphemeralKeySet flag supported by .NET Framework 4.7.2 , .NET Core 2.0 and above;
• $X509KeyStorageFlag = 32 is just a shorthand for the $X509KeyStorageFlag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet

Further reading

• X509KeyStorageFlags enumerator spec https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509keystorageflags
• Eight tips for working with X.509 certificates in .NET: http://paulstovell.com/blog/x509certificate2